500M+ Android users exposed to vulnerability in Alibaba’s UC Browser
UC Browser, a web browser offered on the Google Play Store with more than 500 million downloads, has been found to contain a vulnerability that could allow hackers to insert malicious files on a user’s device.
Discovered by researchers at antivirus firm Doctor Web Ltd. and revealed Tuesday, the vulnerability relates to how the browser downloads updates. Instead of receiving updates via Google Play, the browser fetches them over a plain HTTP connection, exposing the update channel to a man-in-the-middle attack. A so-called MitM attack occurs when a third party on the network path between two endpoints intercepts their traffic, reading it or substituting its own content. Plaintext HTTP offers no integrity protection, so an attacker on a shared Wi-Fi network or at an ISP could swap an update for arbitrary code and the browser would have no way to tell.
UC Browser, designed by UCWeb Inc., a fully owned division of Chinese e-commerce giant Alibaba Group Holding Co. Ltd., downloads updates via an unencrypted web connection, opening the door to such an attack. Worse still, this breaches Google Play's developer policy: apps distributed through the store must update themselves only through Google Play's own update mechanism, precisely so that code reaching a device is reviewed and delivered over a channel the platform controls.
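To make the failure mode concrete, here is an added example, not code from UC Browser, UCWeb or Doctor Web, that models a plaintext update channel with an on-path attacker and contrasts a client that installs whatever arrives with one that refuses non-HTTPS transport and checks the artifact against a pinned SHA-256 digest. The hostnames, payload bytes and the assumption that TLS responses cannot be rewritten on the path are all constructed for the model; nothing is executed, the "installed" bytes are simply returned.

```python
"""Toy model of an insecure app-update channel.

A plaintext HTTP update lets an on-path attacker substitute the artifact, and
a client that installs whatever arrives cannot notice. Constructed example;
no real update payload is used.
"""
import hashlib
import hmac
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed stand-ins for an update artifact (assumed, not real plugin bytes).
GENUINE_UPDATE = b"dex:genuine-plugin-v1"
MALICIOUS_UPDATE = b"dex:attacker-supplied-code"

# Digest of the genuine artifact, as it would be pinned in the APK or carried in
# a manifest fetched over an authenticated channel (assumption of this model).
PINNED_SHA256 = hashlib.sha256(GENUINE_UPDATE).hexdigest()

# Placeholder URLs; .invalid is reserved and never resolves.
HTTP_URL = "http://updates.example.invalid/plugin.dex"
HTTPS_URL = "https://updates.example.invalid/plugin.dex"


class UpdateRejected(Exception):
    """Raised by the hardened client when the update cannot be trusted."""


@dataclass
class Network:
    """In-memory network with optional attackers.

    on_path_attacker: rewrites http:// bodies only; https:// is modeled as
    tamper-proof because TLS authenticates the server and protects integrity.
    tamper_at_origin: the origin/CDN itself serves bad bytes, even over TLS.
    """
    routes: dict
    on_path_attacker: bool = False
    tamper_at_origin: bool = False

    def get(self, url: str) -> bytes:
        body = self.routes[url]
        if self.tamper_at_origin:
            return MALICIOUS_UPDATE
        if self.on_path_attacker and urlparse(url).scheme == "http":
            return MALICIOUS_UPDATE  # MitM swaps the plaintext payload
        return body


def vulnerable_client(net: Network, update_url: str) -> bytes:
    """Reported behaviour: fetch the URL the server handed out, install the bytes."""
    return net.get(update_url)


def hardened_client(net: Network, update_url: str, expected_sha256: str) -> bytes:
    """Refuse plaintext transport, then verify the artifact against a pinned digest."""
    if urlparse(update_url).scheme != "https":
        raise UpdateRejected("update URL is not https: " + update_url)
    body = net.get(update_url)
    actual = hashlib.sha256(body).hexdigest()
    if not hmac.compare_digest(actual, expected_sha256):
        raise UpdateRejected("digest mismatch: expected %s, got %s" % (expected_sha256, actual))
    return body


def make_network(**flags) -> Network:
    return Network(routes={HTTP_URL: GENUINE_UPDATE, HTTPS_URL: GENUINE_UPDATE}, **flags)


def run_scenarios() -> dict:
    """Run each client against each network condition; report what got installed."""
    results = {}
    # 1. Plain HTTP with an attacker on the path: the vulnerable client installs attacker code.
    results["vulnerable_http_mitm"] = vulnerable_client(make_network(on_path_attacker=True), HTTP_URL)
    # 2. The hardened client refuses the plaintext URL before fetching a single byte.
    try:
        hardened_client(make_network(on_path_attacker=True), HTTP_URL, PINNED_SHA256)
        results["hardened_http_mitm"] = "installed"
    except UpdateRejected:
        results["hardened_http_mitm"] = "rejected"
    # 3. HTTPS with an on-path attacker: TLS blocks the swap and the digest matches.
    results["hardened_https_mitm"] = hardened_client(make_network(on_path_attacker=True), HTTPS_URL, PINNED_SHA256)
    # 4. HTTPS but the origin is compromised: TLS cannot help, the pinned digest does.
    try:
        hardened_client(make_network(tamper_at_origin=True), HTTPS_URL, PINNED_SHA256)
        results["hardened_https_bad_origin"] = "installed"
    except UpdateRejected:
        results["hardened_https_bad_origin"] = "rejected"
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(name, "->", outcome)
```

The digest check only helps if the expected value comes from somewhere the attacker cannot touch: pinned in the signed APK, or from a manifest that is itself signed with a key the app ships. A digest fetched over the same plaintext channel as the update buys nothing, because the attacker rewrites both. On Android the cleanest fix is the one Google's policy mandates anyway: ship code changes through Google Play rather than a self-built updater.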
“This violates Google Inc’s rules and poses a serious threat because it enables any code, including malicious ones, to be downloaded to Android devices,” the researchers noted.
The same vulnerability also afflicts UC Browser Mini, a separate app from the same company with more than 100 million downloads in the Google Play Store.
Usman Rahim, digital security and operations manager at The Media Trust, told SiliconANGLE that browsers and other apps are being developed ever faster but with a traditional security mindset, in which a product's security deficiencies are identified only after it has been designed. "Third parties are often not carefully vetted for security capabilities," he said. Moreover, security considerations fail to receive the priority and resources they require and are treated as unnecessary costs.
“Companies shouldn’t wait until they fall victim to an attack or to benign negligence,” Rahim said. “They should build data security and compliance into an app’s entire product lifecycle; they need to scan their apps to find out what happens to users who download, use, and update the app.”
Image: UC Browser/Google Play